From: Yuta Hayama <hay...@lineo.co.jp>

affected_versions in kernel_cves.json does not mean "first affected version
to last affected version" but actually "first affected version to fixed
version". Therefore, the variable names, conditional expressions, and
CVE_STATUS descriptions should be fixed.

For example, when the script was run against v6.1, if affected_versions was
"xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but
this should be "fixed-version: Fixed from version 6.1".

Signed-off-by: Yuta Hayama <hay...@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.bell...@bootlin.com>
(cherry picked from commit 2064b2f9b92e2dff45dab633598b5ed37145d0b6)
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 .../linux/generate-cve-exclusions.py               | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py 
b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index ef47f39c1b..b52c75c18c 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -62,18 +62,18 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
             continue
 
         affected = data["affected_versions"]
-        first_affected, last_affected = re.search(r"(.+) to (.+)", 
affected).groups()
+        first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
         first_affected = parse_version(first_affected)
-        last_affected = parse_version(last_affected)
+        fixed = parse_version(fixed)
 
         handled = False
-        if not last_affected:
+        if not fixed:
             print(f"# {cve} has no known resolution")
         elif first_affected and version < first_affected:
             print(f"# fixed-version: only affects {first_affected} onwards")
             handled = True
-        elif last_affected < version:
-            print(f"# fixed-version: Fixed after version {last_affected}")
+        elif fixed <= version:
+            print(f"# fixed-version: Fixed from version {fixed}")
             handled = True
         else:
             if cve in stream_data:
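Review bot: the new `fixed <= version` comparison is only correct because `affected_versions` is "first affected to fixed version", a fact that lives only in the commit message; please add a one-line comment above the `re.search` line stating it (e.g. `# affected_versions is "<first affected> to <fixed>", the upper bound is the fixing release`), so the next reader does not "fix" the `<=` back to `<`. Also worth noting in that comment that the bound is inclusive, matching the "Fixed from version {fixed}" wording, and that the `version < first_affected` branch above deliberately treats `version == first_affected` as affected.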
@@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
                         # TODO print a note that the kernel needs bumping
                         print(f"# {cve} needs backporting (fixed from 
{backport_ver})")
                 else:
-                    print(f"# {cve} needs backporting (fixed from 
{last_affected})")
+                    print(f"# {cve} needs backporting (fixed from {fixed})")
             else:
-                print(f"# {cve} needs backporting (fixed from 
{last_affected})")
+                print(f"# {cve} needs backporting (fixed from {fixed})")
 
         if handled:
             print(f'CVE_CHECK_IGNORE += "{cve}"')
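Review bot: the two `else:` branches now print the identical string `f"# {cve} needs backporting (fixed from {fixed})"`; since this rename touches both anyway, consider hoisting the message into a single variable or collapsing the nested `if cve in stream_data` so the fallback text cannot drift apart again on the next edit.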
-- 
2.34.1
